
SYSTEM Cited by 1 source

AWS VPC Resolver

The AWS VPC Resolver (also called AmazonProvidedDNS or the .2 resolver) is the DNS resolver AWS exposes inside every VPC, reachable at the base IP of the VPC plus 2 (for a VPC with base 10.0.0.0, the resolver is at 10.0.0.2). It resolves names in VPC-linked Route 53 private hosted zones, forwards non-local lookups to public DNS, and handles reverse-DNS lookups for both private and public IP ranges.

Rate limit

The VPC resolver is rate-limited to 1,024 packets per second per elastic network interface (ENI). The limit counts packets, not DNS queries, so retransmissions count against it too. When an instance exceeds the limit, AWS drops the excess packets at the VPC level: clients see no reply, resolvers such as Unbound treat the silence as a timeout and retry, and those retries compound the overflow.

See AWS docs: VPC DNS quotas.

Architectural implication: per-ENI not per-VPC

Because the limit is per-ENI, not per-VPC or per-subnet, the fix for saturation is to distribute the DNS load across more ENIs rather than trying to raise the limit. See patterns/distribute-dns-load-to-host-resolver for the Stripe canonical instance of this topological fix: move reverse-DNS forwarding from a centralised DNS-server cluster (few ENIs) to every application host's local resolver (many ENIs).

Seen in

  • Stripe, "The secret life of DNS packets" (2024-12-12). Stripe saturated the 1,024-pps limit on its central DNS-server cluster when a Hadoop job performed reverse-DNS lookups on Cloudflare IP space. Measured: ~1,023 pps average reply rate from the VPC resolver during spikes (effectively the AWS cap); a 60-second tcpdump saw 257,430 outbound packets to the resolver but only 61,385 replies. Fix: distribute reverse-lookup forwarding to leaf hosts.
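The saturation signature above (outbound rate pinned at the per-ENI cap, reply rate plateauing just below it) can be checked from a packet capture on the DNS server. The following is an added example, not Stripe's tooling: it parses lines in the shape of `tcpdump -tt -n` output, buckets packets to and from the VPC resolver per second, and flags seconds at or over the 1,024-pps quota. The resolver address 10.0.0.2 and the sample capture lines are constructed for illustration.

```python
"""Flag per-ENI VPC-resolver saturation from tcpdump-style lines (constructed sample)."""
from collections import defaultdict

VPC_RESOLVER = "10.0.0.2"   # VPC base 10.0.0.0 + 2 (hypothetical VPC)
ENI_PPS_LIMIT = 1024        # AWS quota: packets per second per ENI, retries included


def parse_line(line):
    """Parse '<ts> IP <src>.<port> > <dst>.<port>: ...' into (ts, src_host, dst_host)."""
    f = line.split()
    src = f[2].rsplit(".", 1)[0]                 # strip trailing port
    dst = f[4].rstrip(":").rsplit(".", 1)[0]
    return float(f[0]), src, dst


def per_second_rates(lines, resolver=VPC_RESOLVER):
    """Return {second: (packets_out_to_resolver, replies_in_from_resolver)}."""
    buckets = defaultdict(lambda: [0, 0])
    for line in lines:
        ts, src, dst = parse_line(line)
        if dst == resolver:
            buckets[int(ts)][0] += 1
        elif src == resolver:
            buckets[int(ts)][1] += 1
    return {s: tuple(v) for s, v in sorted(buckets.items())}


def saturated_seconds(rates, limit=ENI_PPS_LIMIT):
    """Seconds whose outbound packet rate meets or exceeds the per-ENI quota."""
    return [s for s, (out, _) in rates.items() if out >= limit]


def window_totals(rates):
    """(packets_out, replies_in, fraction_unanswered) over the whole capture."""
    out = sum(o for o, _ in rates.values())
    back = sum(r for _, r in rates.values())
    return out, back, round(1 - back / out, 3) if out else 0.0


def make_sample(base=1733961600.0):
    """Constructed capture: one quiet second, then two seconds over the cap."""
    lines = []
    for sec, (q, r) in enumerate([(300, 300), (1500, 1023), (1200, 1020)]):
        for i in range(q):   # PTR queries from a host to the resolver
            lines.append(f"{base + sec + i / q:.6f} IP 10.0.1.10.40000 > 10.0.0.2.53: "
                         "1+ PTR? 1.1.1.1.in-addr.arpa.")
        for i in range(r):   # replies that made it back (excess dropped by AWS)
            lines.append(f"{base + sec + i / r:.6f} IP 10.0.0.2.53 > 10.0.1.10.40000: "
                         "1 1/0/0 PTR one.one.one.one.")
    return lines
```

Run against a real capture, a reply rate stuck near 1,023 while the outbound column climbs is the per-ENI drop described above, and the per-second view shows which ENI to offload.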